You need to point them to the easily available security guidance from Microsoft on TechNet. DCs get locked down a heck of a lot harder than regular member servers... that's not changed. With that guidance, at least it's them against Microsoft instead of them against you.
–
K. Brian Kelley Aug 14 '09 at 2:24

12 Answers

My view is that a DC is a DC and nothing else goes on it. These are the most important servers in your org, and if anything goes wrong with one of them you could be in a position where you've lost everything before you know about it. Anyone who thinks along the lines of "that server is not doing much, let's load as many extra roles as possible onto it" is missing the point and probably doesn't know what they're talking about.

There is also the consideration that DCs don't have local accounts; third party software may not play nice without local accounts, and you may also find that some of it needs to run in an admin context in order to work. Would you let third party software that needs to run in an admin context onto a DC? Especially given that that's normally an indicator that the developers were sloppy enough to take the path of least resistance rather than doing it right? This software made by sloppy developers will be able to do anything to your entire network. (Note: I'm not talking hard and fast rules here, something like a backup agent you probably have no choice about.)

A read only DC is another matter entirely. I would relax the policy of "nothing else goes on it" in such a scenario, but would nonetheless retain a certain measure of caution.

From an IT purist point of view I agree, a DC should only be a DC. How big is your operation & how many DCs do you have? If you're small then it may not be such a sin. Small Business Server is a perfect example of everything on the one box & MS supports this config for up to 75 users!

The external IT firms are obviously getting messages like 'we can't afford more IT hardware' from your CEO, which is why they're suggesting DCs. They usually have plenty of capacity & are under-utilized. From your CEO's point of view, this is a great way to save money!

The way I see it, you have two options:

1. Convince the CEO of the risks & downsides involved in using your DCs for other services. Here's some stuff I can come up with: slower login times, slower internet (DNS resolution), security risk for the WHOLE DOMAIN, which could mean someone taking control of every computer in your Active Directory.

2. Virtualise some/all of your domain controllers to free up hardware for other purposes. Obviously you don't want to virtualise all your DCs onto one physical box.

I wouldn't put anything too 'heavy' on it like Exchange or SQL, nor anything DMZ/client-facing, but it should be able to handle smaller internally-facing services like acting as a print server, internal web, FTP, etc.

Aside from security, one of the reasons you want one function per server is to ensure the business doesn't have unnecessary interruptions - that is, if you have to reboot the file server, why should you also have to reboot the exchange server? But having separate servers for each function can be excessively costly, especially for smaller businesses. Virtual machines are great, but they still require licenses.

Some things may not be such a big deal - yes, IDEALLY you'd have a separate DHCP server (two for redundancy) and separate DNS servers and separate... you get the idea... but it's not uncommon and rarely an issue for a DC to also run DHCP and DNS.

What you combine depends on how much their combination will likely affect you. Combining DHCP, DNS, and AD will likely have little to no impact. Combining Exchange, SQL, AD, and IIS could have a huge impact.

As I touched on earlier, VMs are great, but they still live on one server that becomes the single point of failure (unless you properly cluster them over a redundant SAN... but then your costs easily move into the 5 figure range... maybe more).

As for putting Exchange on a DC - in general, it is recommended you do not. SBS and EBS are exceptions to this. It IS a supported configuration, but generally not a "Best Practices" configuration.

I agree with the "No's" on this one. Once someone exploits a layered product / application vulnerability they have access to your AD files which is a bit more than slightly less than desirable. Most hacking attempts happen internally...

In years past I've had to deal with the odd compromised member server. One of the first things the attacker-bot toolkits do is suck the local password hashes. Rainbow tables are clearly in use, as I saw the timestamps between the hash extract and the clear-text version of the passwords differ by all of 15 minutes. And this was 3 years ago.

A compromise like that on a domain controller will give the attackers the entire AD hash list. Unless you completely disabled LM password hashes several years ago, this will completely compromise any password under 14 (or 16, can't remember which) characters in length. Regardless of complexity. THAT is a statistic you can take to the higher-ups in defense of keeping everything but DC/DNS (and maybe WINS if you need it) off of your domain controllers.
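As an added example that is not part of the original answers: a PowerShell audit of each writable DC for the two things this answer argues about, whether LM hashes are still being stored (the NoLMHash setting) and whether roles beyond AD DS/DNS (and DHCP) have crept onto the box. It assumes the ActiveDirectory and ServerManager modules (Windows Server 2008 R2 / RSAT or later) and PowerShell remoting to the DCs; the list of roles treated as acceptable is an assumption made for this example, not something the page specifies.

```powershell
# Added example, not from the original answers: audit every writable DC for
# (1) the NoLMHash setting referred to above and (2) installed server roles
# beyond the core DC set. Requires ActiveDirectory + ServerManager modules and
# PowerShell remoting to each DC.
Import-Module ActiveDirectory

# Roles tolerated on a DC for this audit (assumption for the example); any other
# installed role is reported as "extra".
$allowedRoles = @('AD-Domain-Services', 'DNS', 'DHCP')

$writableDCs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

$results = foreach ($dc in $writableDCs) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList (,$allowedRoles) -ScriptBlock {
        param([string[]]$allowed)
        Import-Module ServerManager

        # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1 means the DC stops
        # storing LM hashes at the user's next password change. If the value is
        # absent the OS default applies, which on Windows Server 2003 and earlier
        # means LM hashes ARE stored, so treat "missing" as "not confirmed off".
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $noLmHash = ($lsa.PSObject.Properties['NoLMHash'] -ne $null) -and ($lsa.NoLMHash -eq 1)

        # Installed top-level roles (FeatureType 'Role'; role services and plain
        # features are ignored so DNS/AD sub-components do not produce noise).
        $installedRoles = Get-WindowsFeature |
            Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
            Select-Object -ExpandProperty Name
        $extraRoles = $installedRoles | Where-Object { $allowed -notcontains $_ }

        New-Object PSObject -Property @{
            Computer       = $env:COMPUTERNAME
            LMHashDisabled = $noLmHash
            ExtraRoles     = ($extraRoles -join ', ')
        }
    }
}

# Anything with LMHashDisabled = False or a non-empty ExtraRoles column is the
# statistic to take to management.
$results | Select-Object Computer, LMHashDisabled, ExtraRoles | Format-Table -AutoSize
```

Two caveats worth stating when you show this to the higher-ups: NoLMHash only stops new LM hashes from being written, so accounts that have not changed their password since the setting was enabled still have an LM hash in the directory until they do; and because the hashes live on every writable DC, the setting has to be applied consistently to all of them (normally via the Default Domain Controllers Policy, "Network security: Do not store LAN Manager hash value on next password change") rather than set by hand on one box.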

Generally the rule is NO, and it's a valid rule.
It's easy for PHBs to want the underutilized system to be more value for money, but a DC is a DC, and it should stay as one.

Domain controllers can be hard enough to troubleshoot at the best of times; couple that with added services and you're really asking for a PITA.

Some of the services you listed are big no-nos, and whilst a DC is usually a pretty underutilized system in anything but the larger enterprises, it's still one of the most important boxes in the company.

Have you considered virtualization? Are you trying to maximize use of hardware or minimize software licensing costs?

A DC requires a Windows license; well, both of them do. You do have at least two, right?

If it's a hardware utilization issue, you should really look into virtualization. DCs are prime candidates for virtualization, and you could easily handle the load of most DCs and additional services on a handful of virtualization hosts.

With Microsoft's Datacenter edition licensing benefits when used on virtual systems, you can really cut down on licensing costs too, given the right circumstances.

Nope... especially not any modern version of Exchange, which should really be run on multiple stand-alone servers depending on scale. Also, what happens when it comes time to upgrade? You want to upgrade your DC to 2008 but your apps don't support it. Definitely keep them separate and clean.

I run IT in an SME and I appreciate that servers are expensive; my DCs also run DNS and DHCP, but that's it.

If you want to demonstrate to your boss / suppliers that this is the way forward, show them this page. There are a load of smart people with intelligent, well thought out answers on here and generally they're all saying the same thing.